Visit NES for Jackson Home Page
Jackson Core 2.13.x Release Notes
2 versions
Comprehensive release notes and changelog for Jackson Core 2.13.x, including security patches, bug fixes, and feature updates across all supported versions.
March 2026
2.13.7
Released Mar 3, 2026 Full Version:
2.13.5-jackson-core-2.13.7
Bug Fixes
This release patches the following:
- GHSA-72hv-8253-57qq: Number Length Constraint Bypass in Async Parser
- The default maximum length of a numeric value is 1000 to prevent potential denial-of-service attacks.
- JsonFactory builder has streamReadConstraints for configuring the max number length.
- Possible Breaking Change: Applications that rely on number lengths >=1000 will need to increase the maximum allowed length.
Dependency Upgrades
- Jackson BOM (NES)
2.13.5-jackson-bom-2.13.7
September 2025
2.13.6
Released Sep 25, 2025 Full Version:
2.13.5-jackson-core-2.13.6
Notes
- This release originates from the open‑source jackson-core project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
Bug Fixes
This release patches the following:
- CVE-2025-52999: Nested data handling flaw in Jackson Core
- The default maximum nesting level is 1000 to prevent potential denial-of-service attacks.
- JsonFactory builder has streamReadConstraints for configuring the max nesting level.
- Possible Breaking Change: Applications that rely on specific nested data structures >=1000 will need to increase the maximum allowed nesting level.
Dependency Updates
- Jackson BOM (NES)
2.13.5-jackson-bom-2.13.6
Stay in the loop
~/herodevs-spring-framework-support
herodevs@nes:open-source$ ./display-support-info.sh